solophp / session
Secure PHP Session Handler with advanced security features
v1.1.0
2024-12-14 07:23 UTC
Requires
- php: >=8.1
README
Secure PHP session handler with advanced security features and session management.
Features
- Secure session configuration out of the box
- Session timeout management
- Session integrity checks (IP and User-Agent validation)
- Protection against session fixation attacks
- Strict session management
- Cookie security controls
- Session status monitoring
Requirements
- PHP 8.1 or higher
Installation
```shell
composer require solophp/session
```
Basic Usage
```php
use Solo\Session;

// Create session with default secure settings
$session = new Session();

// Store data
$session->set('user', $userData);

// Get data
$userData = $session->get('user');

// Check if data exists
if ($session->has('user')) {
    // ...
}

// Remove data
$session->unset('user');

// Clear all data
$session->clear();

// Completely destroy session
$session->destroy();
```
Advanced Configuration
```php
$session = new Session(
    lifetime: 3600,        // Cookie lifetime in seconds (0 = until browser closes)
    secure: true,          // Require HTTPS
    httpOnly: true,        // Prevent JavaScript access
    sameSite: 'Strict',    // CSRF protection (Strict|Lax|None)
    path: '/',             // Cookie path
    domain: '',            // Cookie domain
    useStrictMode: true,   // Enable strict mode
    gcMaxlifetime: 86400,  // Session garbage collection lifetime
    useCookiesOnly: true,  // Prevent session ID in URLs
    timeout: 1800          // Session timeout in seconds
);
```
Security Features
Session Timeout
Sessions automatically expire after a period of inactivity (default 30 minutes):
```php
// Check if session has expired
if ($session->isExpired()) {
    // Handle expired session
}

// Get last activity timestamp
$lastActivity = $session->getLastActivity();
```
Session Integrity
Sessions are validated against:
- User's IP address
- User's browser (User-Agent)
- Session initiation status
Cookie Security
Secure cookie settings:
- HttpOnly flag
- Secure flag (HTTPS only)
- SameSite attribute
- Configurable domain and path
- Optional lifetime
Available Methods
Data Management
```php
// Get value with default fallback
$value = $session->get('key', 'default');

// Set value
$session->set('key', 'value');

// Check existence
$exists = $session->has('key');

// Remove specific key
$session->unset('key');

// Get all session data
$allData = $session->all();

// Clear all data
$session->clear();
```
Session Management
```php
// Regenerate session ID
$session->regenerateId();

// Destroy session completely
$session->destroy();

// Get current session ID
$id = $session->getCurrentId();

// Get session cookie name
$name = $session->getCookieName();

// Get session save path
$path = $session->getSavePath();

// Get session status
$status = $session->getStatus();

// Get configured timeout
$timeout = $session->getTimeout();
```
Session Status Values
- PHP_SESSION_DISABLED = 0
- PHP_SESSION_NONE = 1
- PHP_SESSION_ACTIVE = 2
Best Practices
- Always use HTTPS in production (`secure: true`)
- Set appropriate timeout values for your application
- Consider using 'Strict' SameSite setting for better security
- Monitor session activity using provided methods
- Handle expired sessions appropriately
- Use session regeneration for sensitive operations
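Putting these practices together, as an added example that is not part of the package's README: a request handler built only on the methods documented above. The `$users` array, the 900-second inactivity timeout and the 300-second re-authentication window are constructed assumptions for the demonstration.

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Solo\Session;

// Hardened settings from the "Advanced Configuration" section: HTTPS-only
// cookie, no JavaScript access, Strict SameSite, cookie-only session IDs,
// 15-minute inactivity timeout, cookie discarded when the browser closes.
$session = new Session(
    lifetime: 0,
    secure: true,
    httpOnly: true,
    sameSite: 'Strict',
    useStrictMode: true,
    useCookiesOnly: true,
    timeout: 900,
);

// 1. Never act on data from a session that has timed out.
if ($session->isExpired()) {
    $session->destroy();
    header('Location: /login?reason=expired', true, 302);
    exit;
}

// 2. On login, regenerate the ID so an ID planted before authentication
//    (session fixation) is not carried into the authenticated session.
//    $users is a constructed demo store: username => password_hash() value.
function loginUser(Session $session, array $users, string $name, string $pw): bool
{
    if (!isset($users[$name]) || !password_verify($pw, $users[$name])) {
        return false;
    }
    $session->regenerateId();
    $session->set('user', ['name' => $name, 'auth_at' => time()]);
    return true;
}

// 3. Before a sensitive operation, require a recently authenticated user
//    (300 s is an application choice) and rotate the ID once more.
function requireRecentAuth(Session $session, int $maxAge = 300): bool
{
    $user = $session->get('user', null);
    if ($user === null || time() - $user['auth_at'] > $maxAge) {
        return false;
    }
    $session->regenerateId();
    return true;
}
```

Call `loginUser()` from the login form handler and `requireRecentAuth()` at the top of any password-change or payment endpoint; a `false` return should send the user back to the login page rather than proceed.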
License
MIT